Version(s): 1.3, 1.4
Description: dong-hun you from INetCop Security reported several vulnerabilities in Gld. A remote user can obtain root privileges. The 'server.c' file contains several buffer overflows. A remote user can supply specially crafted input to trigger a buffer overflow and execute arbitrary code. The 'cnf.c' file contains several format string vulnerabilities, where user-supplied data is not properly validated and is passed to a syslog() call without the appropriate format string specifier. A remote user can supply specially crafted input to execute arbitrary code with root privileges.
Impact: A remote user can execute arbitrary code with root privileges.
Solution: No solution was available at the time of this entry.
auditors and/or net-mail please advise.
despite the various "this is safe" comments in the source code, it hasn't been thought out so well.

perl -e 'print "request=" . ("x" x 2000) . "\n\n"' | nc localhost 2525

Overflow at: server.c:265 strcpy without proper length checks (despite comments in the code which say otherwise). attacker decides what lands on the stack, so it's easily exploitable.
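The two defect classes named in this bug (an unbounded strcpy of a client request, and client data handed to syslog() as the format string) and the fix for each, as an added example. This is not gld's code and not from the report; the buffer size REQ_MAX, the "gld: client data:" prefix and the function names are assumptions of mine. render_log() formats the same way syslog(3) would so the result can be inspected without touching the system log.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#define REQ_MAX 256   /* assumed size of the fixed request buffer */

/* Bounded copy of a client-supplied request into a fixed buffer.
   Returns 0 on success, -1 (leaving dst empty) when the data would not fit.
   This replaces a bare strcpy(dst, src), which copies until the NUL no matter
   how long src is. */
int copy_request(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return -1;
    if (n >= dstsz) {              /* no room for data plus terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Render a log line the way syslog(3) does when the client data is passed as
   a %s argument: every '%' inside data stays literal, it is never parsed as
   a directive. */
int render_log(char *out, size_t outsz, const char *data)
{
    return snprintf(out, outsz, "gld: client data: %s", data);
}

/* The corrected syslog call: fixed format string, user data as argument.
   The form the advisory describes, syslog(LOG_INFO, data), lets the client
   supply the format string itself. */
void log_client_data(const char *data)
{
    syslog(LOG_INFO, "gld: client data: %s", data);
}

/* Convenience checks used by the demo below. */
int request_accepted(const char *src)
{
    char buf[REQ_MAX];
    return copy_request(buf, sizeof buf, src) == 0;
}

/* Build a request of `len` 'x' bytes (the shape of the one-liner in the
   report) and report whether copy_request accepts it. */
int long_request_accepted(size_t len)
{
    char *big = malloc(len + 1);
    if (!big) return -1;
    memset(big, 'x', len);
    big[len] = '\0';
    int ok = request_accepted(big);
    free(big);
    return ok;
}

/* 1 if the rendered log line still contains data verbatim (no directive was
   interpreted), 0 otherwise. */
int log_keeps_literal(const char *data)
{
    char out[512];
    render_log(out, sizeof out, data);
    return strstr(out, data) != NULL;
}

int main(void)
{
    printf("short request: %s\n", request_accepted("request=hello") ? "accepted" : "rejected");
    printf("2000-byte request: %s\n", long_request_accepted(2000) ? "accepted" : "rejected");
    printf("log with %%-directives in data kept literal: %s\n", log_keeps_literal("%x%x%n") ? "yes" : "no");
    return 0;
}
```

The length check rejects the 2000-byte request outright instead of truncating it; rejecting is the safer default for a protocol line that is never legitimately that long, and it keeps the daemon's behaviour explicit rather than silently dropping bytes.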
Has upstream been informed about this?
Bummer, cached page here. 1.5 is released today. net-mail please bump.
I'll do it.
Default config IS affected -> upgrading severity. net-mail please provide a better default than this:

#
# Shall we bind only to loopback ? (0=No,1=Yes) (default is 0)
#
LOOPBACKONLY=0
#
# The list of networks allowed to connect to us (default is everybody)
# The format is network/cidrmask,....
#
# Uncomment the line to activate it.
#
#CLIENTS=192.168.168.0/24 172.16.0.0/19 127.0.0.1/32
net-mail please also fix the default user. Right now the default config makes it run with root privs:

#
# The user used to run gld (default value is no user change)
# uncomment the line to activate it.
#
#USER=nobody
#
# The group used to run gld (default value is no group change)
# uncomment the line to activate it.
#
#GROUP=nobody
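The two default-config complaints above (listening on every interface with no CLIENTS list, and running as root because the USER/GROUP lines are commented out), checked by a small audit function. This is an added example, not part of the bug thread or of gld itself. It assumes gld.conf is a file of KEY=VALUE lines with '#' comments, as the quoted snippets show; the finding names, the hardened variant and the assumption that the MTA talking to gld is on the same host are mine.

```c
#include <stdio.h>
#include <string.h>

/* Findings returned by audit_gld_conf() as a bitmask. */
#define WEAK_OPEN_NETWORK 1  /* not loopback-only and no CLIENTS list: reachable by any host */
#define WEAK_ROOT_USER    2  /* no active USER= line: daemon keeps root */
#define WEAK_ROOT_GROUP   4  /* no active GROUP= line */

/* The shipped defaults quoted in the bug, reproduced as constructed sample input. */
static const char GLD_DEFAULT_CONF[] =
    "# Shall we bind only to loopback ? (0=No,1=Yes) (default is 0)\n"
    "LOOPBACKONLY=0\n"
    "# The list of networks allowed to connect to us (default is everybody)\n"
    "#CLIENTS=192.168.168.0/24 172.16.0.0/19 127.0.0.1/32\n"
    "# The user used to run gld (default value is no user change)\n"
    "#USER=nobody\n"
    "# The group used to run gld (default value is no group change)\n"
    "#GROUP=nobody\n";

/* A hardened variant (assumed setup: the MTA that queries gld runs locally). */
static const char GLD_HARDENED_CONF[] =
    "LOOPBACKONLY=1\n"
    "CLIENTS=127.0.0.1/32\n"
    "USER=nobody\n"
    "GROUP=nobody\n";

/* 1 if line is "KEY=value" for this key with a non-empty value; *value then
   points at the value. */
static int active_setting(const char *line, const char *key, const char **value)
{
    size_t k = strlen(key);
    if (strncmp(line, key, k) != 0 || line[k] != '=') return 0;
    *value = line + k + 1;
    return **value != '\0';
}

/* Walk the config text line by line. A line starting with '#' is a comment
   and has no effect, which is exactly why the shipped "#USER=nobody" leaves
   the daemon running as root. */
int audit_gld_conf(const char *conf)
{
    int loopback = 0, clients = 0, user = 0, group = 0;
    const char *p = conf;
    while (*p) {
        char line[256];
        size_t n = 0;
        while (*p && *p != '\n') {            /* copy one line, dropping excess */
            if (n < sizeof line - 1) line[n++] = *p;
            p++;
        }
        if (*p == '\n') p++;
        line[n] = '\0';
        while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t' || line[n - 1] == '\r'))
            line[--n] = '\0';                 /* trim trailing whitespace / CR */
        const char *s = line;
        while (*s == ' ' || *s == '\t') s++;  /* skip leading whitespace */
        if (*s == '\0' || *s == '#') continue;
        const char *v;
        if (active_setting(s, "LOOPBACKONLY", &v)) loopback = (strcmp(v, "1") == 0);
        else if (active_setting(s, "CLIENTS", &v)) clients = 1;
        else if (active_setting(s, "USER", &v))    user = (strcmp(v, "root") != 0);
        else if (active_setting(s, "GROUP", &v))   group = (strcmp(v, "root") != 0);
    }
    int findings = 0;
    if (!loopback && !clients) findings |= WEAK_OPEN_NETWORK;
    if (!user)  findings |= WEAK_ROOT_USER;
    if (!group) findings |= WEAK_ROOT_GROUP;
    return findings;
}

static void report(const char *name, int f)
{
    printf("%s:%s%s%s%s\n", name,
           f & WEAK_OPEN_NETWORK ? " open-network" : "",
           f & WEAK_ROOT_USER    ? " root-user"    : "",
           f & WEAK_ROOT_GROUP   ? " root-group"   : "",
           f == 0                ? " ok"           : "");
}

int main(void)
{
    report("default", audit_gld_conf(GLD_DEFAULT_CONF));
    report("hardened", audit_gld_conf(GLD_HARDENED_CONF));
    return 0;
}
```

A CLIENTS list alone clears the network finding, since that is the right choice when the MTA is on another host; it does nothing about the privilege finding, which only an active USER= and GROUP= line fixes.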
Ebuild for 1.5 in portage, x86 stable.
amd64 please test and mark stable ASAP.
amd64 please cvs up if you've already started: [12:56:33] <@Ticho> jaervosz: updated the gld ebuild, since it installed few files in wrong places
It seems to work just fine on a busy amd64 mailserver I admin. Marked stable on amd64.
Thx everyone. This one is ready for glsa.
GLSA 200504-10